From owner-freebsd-security Tue Feb 18 19:51:57 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id TAA28761 for security-outgoing; Tue, 18 Feb 1997 19:51:57 -0800 (PST)
Received: from cwsys.cwent.com (0@cschuber.net.gov.bc.ca [142.31.240.113]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id TAA28736 for ; Tue, 18 Feb 1997 19:51:44 -0800 (PST)
Received: (from uucp@localhost) by cwsys.cwent.com (8.8.5/8.6.10) id TAA01277; Tue, 18 Feb 1997 19:51:02 -0800 (PST)
Message-Id: <199702190351.TAA01277@cwsys.cwent.com>
Received: from localhost.cwent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwent.com, id smtpd001274; Wed Feb 19 03:50:52 1997
Reply-to: cys@mailhost.wlc.com
X-Mailer: Xmh
To: tqbf@enteract.com
cc: freebsd-security@freebsd.org
Subject: Re: Security problem in FreeBSD /sbin/init
In-reply-to: Your message of "Tue, 18 Feb 1997 19:34:11 CST." <199702190134.TAA12057@enteract.com>
Date: Tue, 18 Feb 1997 19:50:52 -0800
From: Cy Schubert
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> 
> This problem will probably be picked up by the sweeping audit of your code
> base, but I figured I'd alert you to it anyways.
> 
> FreeBSD, in revisions up to and including -current, has a stack overrun in
> /sbin/init. The affected routines are "start_getty()" and
> "start_window_system()", both of which can be tricked into reading an
> overly large "type" entry from the /etc/ttys file (which is copied into an
> array on the stack used to hold the "TERM" environment variable for a
> subsequent execve() call).
> 
> This overflow is only exploitable if you control /etc/ttys. On almost all
> systems, this means it's only an issue if you're root.
> 
> Unfortunately, this is a serious issue in init's case. Unbeknownst to
> many, init (or, more specifically, PID 1) can change the securelevel
> arbitrarily in 4.4BSD systems. The purpose of securelevels is to "secure
> the system from root", disabling the modification of crucial system
> binaries. The "immutable" flag depends on this concept. This overflow
> provides intruders with a means to evade the immutable (or append-only, or
> any other securelevel-dependent) mechanism.
> 
> Given my relative unfamiliarity with the FreeBSD CVS "protocol", such as
> it is, I'll leave it for another developer to fix this. The problem is an
> unchecked string copy in both routines, and can easily be resolved by
> sticking an "n" in the strcpy() function call.
> 
> Good luck with the audit.

I don't think this is a security problem since /sbin/init has permissions of
500 and /etc/ttys has permissions of 644.

Cy Schubert                          Fax: (250)387-5766
UNIX Support                         OV/VM: BCSC02(CSCHUBER)
ITSD                                 BITNET: CSCHUBER@BCSC02.BITNET
Government of BC                     Internet: cschuber@uumail.gov.bc.ca
                                               cschuber@bcsc02.gov.bc.ca

        "Quit spooling around, JES do it."
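The following C program is an added illustration of the bug class the quoted report describes; it is not FreeBSD's /sbin/init source and makes no claim about how start_getty() or start_window_system() are actually written. It assumes the ttys(5) layout "name getty-command type status ...", a hypothetical 32-byte on-stack TERM buffer (TERM_LEN), a small field parser (ttys_field) and two constructed /etc/ttys-style lines, one with a normal terminal type and one with a 46-byte type. It shows the unchecked copy, the hardened copy that compares the field length against the destination before writing, and the caveat a reviewer would raise about the suggested one-character fix: strncpy() stops the overrun, but when the source fills the buffer it leaves no terminator, so the environment later handed to execve() would still run off the end of the array.

```c
/*
 * Added example, not FreeBSD's init code.  TERM_LEN, ttys_field() and the
 * two /etc/ttys-style lines below are assumptions made for illustration.
 */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define TERM_LEN 32   /* assumed size of the on-stack array that receives the type */

/* Constructed /etc/ttys-style lines:  name  getty-command  type  status ... */
static const char TTYS_OK[] =
    "ttyv0 \"/usr/libexec/getty Pc\" cons25 on secure";
static const char TTYS_LONG[] =          /* 46-byte type, longer than TERM_LEN */
    "ttyv1 \"/usr/libexec/getty Pc\" xterm-"
    "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" " on secure";

/* Locate 0-based field `n` of a ttys-style line.  Fields are separated by
 * blanks or tabs; a field may be double-quoted (the getty command usually is).
 * On success stores a pointer into `line` plus the field length and returns 0;
 * returns -1 if the line has no such field, is blank, or is a comment. */
static int ttys_field(const char *line, int n, const char **out, size_t *outlen)
{
    const char *p = line;

    for (int i = 0; ; i++) {
        const char *start;
        size_t len;

        while (*p == ' ' || *p == '\t')
            p++;
        if (*p == '\0' || *p == '\n' || *p == '#')
            return -1;
        if (*p == '"') {
            start = ++p;
            while (*p != '\0' && *p != '"')
                p++;
            len = (size_t)(p - start);
            if (*p == '"')
                p++;
        } else {
            start = p;
            while (*p != '\0' && *p != ' ' && *p != '\t' && *p != '\n')
                p++;
            len = (size_t)(p - start);
        }
        if (i == n) {
            *out = start;
            *outlen = len;
            return 0;
        }
    }
}

/* The pattern the report describes: the field lands in a TERM_LEN-byte array
 * with nothing comparing its length to TERM_LEN (same effect as strcpy()).
 * Called in main() only on input known to fit; on TTYS_LONG it would overrun. */
static void set_term_unchecked(char term[TERM_LEN], const char *type, size_t len)
{
    memcpy(term, type, len);
    term[len] = '\0';
}

/* "Just add an n": strncpy() stops the overrun but, when the field fills the
 * buffer, writes no terminator, so whatever later treats `term` as a C string
 * (the environment passed to execve()) reads past the array.
 * Returns 1 if `term` ended up NUL-terminated, 0 if not, -1 if no type field. */
static int set_term_strncpy(char *term, size_t termsz, const char *line)
{
    char type[256];                   /* scratch NUL-terminated copy of the field */
    const char *f;
    size_t len;

    if (ttys_field(line, 2, &f, &len) != 0 || len >= sizeof type)
        return -1;
    memcpy(type, f, len);
    type[len] = '\0';
    strncpy(term, type, termsz);
    return memchr(term, '\0', termsz) != NULL;
}

/* Hardened form: check the length against the destination before copying and
 * always write the terminator.  An over-long type is refused rather than
 * silently truncated, since a truncated terminal type is wrong anyway.
 * Returns 0 on success, -1 if there is no type field, -2 if it does not fit. */
static int set_term_bounded(char *term, size_t termsz, const char *line)
{
    const char *f;
    size_t len;

    if (ttys_field(line, 2, &f, &len) != 0)
        return -1;
    if (len >= termsz)
        return -2;
    memcpy(term, f, len);
    term[len] = '\0';
    return 0;
}

int main(void)
{
    char term[TERM_LEN];
    const char *f;
    size_t len;
    int rc;

    ttys_field(TTYS_OK, 2, &f, &len);
    set_term_unchecked(term, f, len);          /* 6 bytes into 32: fits */
    printf("unchecked, short type: TERM=%s\n", term);

    rc = set_term_bounded(term, sizeof term, TTYS_OK);
    printf("bounded,   short type: rc=%d TERM=%s\n", rc, term);
    rc = set_term_bounded(term, sizeof term, TTYS_LONG);
    printf("bounded,   long type : rc=%d (refused)\n", rc);
    rc = set_term_strncpy(term, sizeof term, TTYS_LONG);
    printf("strncpy,   long type : terminated=%d\n", rc);
    return 0;
}
```

The refusal in set_term_bounded() is the behaviour a setuid-free but privileged parser like init should have for configuration it cannot fit: fail the entry loudly rather than write past the array or hand execve() an unterminated string.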